United States of America: Closed Extended Consultation on Standardising Cybersecurity Requirements for Federal Information Systems (FAR Case No. 2021-0019)

On 2 February, the Federal Acquisition Regulatory Council (FAR Council) closed the consultation, after the extesion of the initial deadline, on a proposed rule change in the Federal Acquisition Regulation (FAR) to establish standardised cybersecurity requirements for unclassified Federal Information Systems (FIS). The proposed rule aims to enhance the security of IoT devices used or operated by federal agencies, contractors, or other organizations on behalf of an agency. It is based on recommendations from Executive Order (E.O.) 14028 and parts of the Internet of Things (IoT) Cybersecurity Improvement Act of 2020. The rule change intends to introduce standardized contract language to unify requirements and improve compliance for contractors and the government. The proposed rule includes two new FAR clauses for contracts involving services to develop, implement, operate, or maintain an FIS, and extends to contracts that fall below the simplified acquisition threshold and the acquisition of commercial products and services.